ENISA Issues Comprehensive Report On Deploying Honeypots

The European Network and Information Security Agency (ENISA), Europe’s cyber security agency, has released a new report focused on honeypots, and how these digital traps can most effectively be used by CERTs (Computer Emergency Response Teams) to detect cyber-attacks and sniff out malicious activity.

The lengthy 183-page honeypot report aims to provide an understanding of honeypot concepts, strategies for deploying honeypots, and recommendations on which honeypots may be useful in different scenarios.

Honeypots can be a powerful source of threat intelligence. They can serve as the basis for larger systems built on networks of sensors, or act as feeds for already deployed SIEM tools. They can also be used to help identify insider threats, ENISA reminded readers in the report.

As an added bonus, much of the technology needed to achieve all this is already available for free as open source software.

The report explores strategies for deploying honeypots, ranging from setting up a single honeypot to creating a network of honeypots known as a “honeynet”. Additionally, the report dives into various hybrid honeypot solutions, early warning systems based on honeypots, and sandboxes and their possible usage by CERTs.

While the report was compiled with managers and technical staff of government CERTs in mind, it can also be valuable to any other CERT or enterprise security team.

“New CERTs can use the report to quickly learn which honeypot and sandbox technologies to focus on when deploying such solutions, while existing CERTs can identify technologies they may be missing,” ENISA explained. “They can also use the suggestions and findings in the report to engage in possible collaborative development efforts with researchers and other CERTs in order to aid their detection and incident handling process.”

While honeypots can be used as sensors to detect unwanted or otherwise malicious activity, they can also be used to study what happens after a network is compromised by an attacker, the report explained.

For example, according to Jan Goebel, a security expert from Siemens, turning a previously compromised system into a honeypot can be useful to closely monitor an attacker and find out what other systems in a network could potentially be compromised.

Honeypot Risks

While honeypots clearly have many benefits, it’s important that organizations understand some of the risks associated with deploying honeypots, especially when they are connected to organizational networks.

Honeypots are designed to interact with an attacker, and typically result in the attacker gaining some level of control over a system, which could then be used to launch attacks and conduct other illegal activities. Such activities could be anything from hacking other systems to sending spam or spreading malware.

The report also warns that when compromised, the value of a honeypot is dramatically reduced, something that could provoke an attacker to avoid or bypass the honeypot network or even introduce misleading data into a honeypot, which can significantly hinder data analysis.

In order to reduce the risks associated with honeypots, ENISA stressed the importance of tightly controlling the network where the honeypots are deployed, including monitoring and controlling both incoming and outgoing traffic.

Additionally, the report cautioned CERTs to ensure that legitimate traffic does not end up on the honeypot, as that may trigger false positives.
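The two controls in the paragraphs above, restricting what a honeypot segment may send out and keeping legitimate traffic off the trap, as a worked example. This code is added here and is not from the ENISA report or from this article. It labels constructed connection records from a hypothetical honeypot segment and renders the same policy as iptables FORWARD rules; the address plan (10.99.0.0/24 for traps, 10.0.0.0/16 for production), the resolver exception, the interface name `hp0` and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical address plan: every value below is an assumption made for this example.
HONEYPOT_NET = ipaddress.ip_network("10.99.0.0/24")    # isolated honeypot segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/16")]   # production and user networks
RESOLVER = ipaddress.ip_address("10.99.1.1")            # the only permitted egress destination
RESOLVER_PORT = 53


@dataclass(frozen=True)
class Flow:
    """One connection record; src is assumed to be the initiating side."""
    src: str
    dst: str
    dport: int
    proto: str


def _is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Label a flow by what it means for a honeypot operator.

    Outbound from the honeypot is the abuse case the report warns about (spam,
    scanning, pivoting); inbound from production networks is the false-positive
    case (legitimate users reaching the trap).
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_hp, dst_hp = src in HONEYPOT_NET, dst in HONEYPOT_NET

    if src_hp and dst == RESOLVER and flow.dport == RESOLVER_PORT and flow.proto == "udp":
        return "allowed-egress"          # the single outbound exception in the policy
    if src_hp and dst_hp:
        return "intra-honeypot"          # movement between traps: contained, worth watching
    if src_hp:
        # a compromised honeypot reaching out; pivoting inward is the worst case
        return "egress-to-internal" if _is_internal(dst) else "egress-external"
    if dst_hp:
        # traffic arriving at the trap: attackers are expected, colleagues mean a misconfiguration
        return "legit-traffic-on-honeypot" if _is_internal(src) else "inbound-attack"
    return "unrelated"


def summarize(flows) -> Counter:
    """Count flows per label; non-zero egress or legit-traffic counts need attention."""
    return Counter(classify(f) for f in flows)


def egress_rules(iface: str = "hp0") -> list:
    """Render the same policy as iptables FORWARD rules (interface name is assumed).

    Order matters: allow the resolver exception and replies to inbound connections,
    then log and drop everything else leaving the segment; finally keep production
    networks from reaching the trap at all.
    """
    hp, resolver = str(HONEYPOT_NET), str(RESOLVER)
    rules = [
        f"iptables -A FORWARD -i {iface} -s {hp} -d {resolver} -p udp --dport {RESOLVER_PORT} -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -s {hp} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f'iptables -A FORWARD -i {iface} -s {hp} -j LOG --log-prefix "HONEYPOT-EGRESS "',
        f"iptables -A FORWARD -i {iface} -s {hp} -j DROP",
    ]
    for net in INTERNAL_NETS:
        rules.append(f'iptables -A FORWARD -s {net} -d {hp} -j LOG --log-prefix "HONEYPOT-INTERNAL "')
        rules.append(f"iptables -A FORWARD -s {net} -d {hp} -j DROP")
    return rules


# Constructed sample flows for a hypothetical honeypot host at 10.99.0.10.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.99.0.10", 22, "tcp"),    # scanner hitting the trap's SSH
    Flow("10.99.0.10", "10.99.1.1", 53, "udp"),      # honeypot resolving a name
    Flow("10.99.0.10", "198.51.100.5", 25, "tcp"),   # compromised trap trying to send mail
    Flow("10.99.0.10", "10.0.5.20", 445, "tcp"),     # compromised trap probing a file server
    Flow("10.0.3.44", "10.99.0.10", 80, "tcp"),      # an employee's browser reaching the trap
    Flow("10.0.3.44", "10.0.3.1", 53, "udp"),        # ordinary traffic elsewhere
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<5} {classify(flow)}")
    print(dict(summarize(SAMPLE_FLOWS)))
    print("\n".join(egress_rules()))
```

Running the block prints one label per sample flow, a count per label, and the rule set. The two labels that should never appear in a healthy deployment are the egress ones (the trap has been turned into a launch point) and `legit-traffic-on-honeypot` (routing, DNS or a user has put production traffic on the trap, which is exactly the false-positive source the report cautions about).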

Honeypots – Part of Every CERT's Toolkit

Overall, ENISA strongly suggests that honeypots should be an essential part of any CERT’s toolkit.

“Correctly deployed, honeypots offer considerable benefits for CERTs; malicious activity in a CERT’s constituency can be tracked to provide early warning of malware infections, new exploits, vulnerabilities and malware behavior, as well as give an opportunity to learn about attacker tactics,” said Professor Udo Helmbrecht, Executive Director of ENISA in a statement.

As part of its continued research and analysis on honeypots, ENISA is asking CERTs to actively take part in the communities identified in the study, and to provide feedback to its researchers involved in the development of honeypots and related technologies.

“It has to be stressed that CERTs can also have great influence on how these technologies evolve and how they can be customized to simplify their usage, thus allowing them to be adopted on a greater scale,” the report concluded.

A final point of importance that ENISA raised is the legal and ethical issues that could arise from a honeypot deployment. “A study of these issues is outside the scope of this study. Nevertheless, we encourage CERTs to consult on the potential legal implications of usage of honeypots in their country/constituency with a legal counsel.”

The full 183-page report is a worthy read and can be downloaded here in PDF format.

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.